While Sage clearly need to do something to improve their login security model, the Kashflow approach of placing an https login form on pages that are not protected by an SSL certificate could not be described as "security best practice". You place your users at greater risk of falling prey to "phishing" attacks which are a far more popular and effective means of harvesting user names and passwords than actually trying to intercept clear text passwords when they are being transmitted over the ether.

As for the ICAEW guide to online accounting software, the body of the guide is a balanced and informative piece by a respected author in the field and to call it "half-baked" because you didn't get a free piece promoting your business seems somewhat unwarranted, especially considering we are working in an industry where the products are never finished and so by definition are half-baked. Reading the guide you will see that Kashflow gets equivalent coverage in comparison to both those who contributed to the cost involved in preparation of a product review at the end of the guide and those who elected not to when it was offered.

Given the target audience and the expected shelf life of such a guide compared to typical off-the-page advertising the cost of inclusion was pretty good value and I am sure that Kashflow could have stretched to the amount being asked.

There are many ways to deal with SaaS security but having passwords in clear text is not one of them. Perhaps someone should educate Sage on the merits of encryption, cookies, session variables or FormsAuthenticationTickets - (NET) & so on....

Still it should probably be no surprise bearing in mind that L50 has(d?) issues with record locking even after many years in production; try rebooting L50 without shutting down and one used to get all sorts of nonsense about resetting users - great dynamic system locking ....!

Unfortunately Sage really have not understood the basic principles of online systems and a stateless medium; with this in mind they should probably withdraw these products immediately

Of course really the disappointing thing about this, is the influence (damage) Sage will have on the minds of the general public by raising possible doubts about security, especially when every other supplier has done their best to reassure the users

Basically Sage is a marketing company (a very good one) and NOT a technology company, which this episode undoubtedly proves. Furthermore they have left joining the SaaS party so late in the day that they now go head to head with mature established competition

What will be very interesting is how they perform upgrades & future releases for their online products. Releasing an app in one place (server) is a vastly simplified approach, however, the impact of getting it wrong is immediate and far reaching; with Sage's seemingly sloppy procedures this might well be a recipe for disaster and if they get it wrong it could well be their death knell because there will be no lack of free advertising on the subject!!

The message is simple - Sage should stick to what they know - advertising .... and sub-contract out their system development

This is perhaps the difference between the old and new media styles, Duane. While I openly admit that your little quip about advertising did provoke me into action, the article merely reports what has been going on. I am not really interested in taking sides, since I've got to deal with both of you on a regular basis.

Good reporting also demands putting allegations directly to the party concerned, which I have done. While Sage let me know that it's not their style to dive into online flame wars, I did suggest to them that the hands-off approach to bloggers and forums put them in an invidious position where assertions, allegations and criticisms went unchallenged. This, of course, plays into the hands of those who want to characterise Sage as slow to react and remote from the latest developments.

If something gets to the point where Sage does respond, it may well involve m'learned friends, which gives people like you the opportunity to call the company a bully.

Not surprisingly, Sage declined to comment on the conundrum it faces here. Sage does a very good job doing what it does, and makes lots of money - and as the market leader it will always be the target for snipers (much like Microsoft). Conflicts like this don't amount to much in the long term - but people like reading and arguing about them, which is what this site is about.

I do find it interesting how media guerillas like you are able to exploit the available tools to gain publicity and can definitely see that direct interaction like this presents a big challenge for traditional corporate marketing methods.

Here's to open and honest online debate.

John Stokdyk
Technology editor
AccountingWEB.co.uk

These sorts of comparisons are generally taken with a 'pinch of salt' anyway, because nobody in their right mind is going to provide a benchmark that is better than their own.

All Sage have done is highlight an area that most would probably have overlooked, by bringing it into the spotlight, thereby giving credence to the claims and shooting themselves in the foot along the way.

This sort of bad judgement by Sage is an absolute advertising gift to Duane and yet Sage don't seem to have grasped this simple fact. One couldn't have paid for this type of advertising.